Significant new amendments to the Privacy Act were enacted last month. The following is an edited excerpt from our recently released ebook Privacy Governance: A Guide to Privacy Risk and Opportunity for Directors and Boards written by Malcolm Crompton FAICD, a former Australian privacy commissioner.
The first privacy principles affecting wider private sector entities came into effect as new provisions in the Privacy Act on 21 December 2001. These principles were completely re-written by Parliament in 2012 and came into effect on 12 March 2014. They are now called the Australian Privacy Principles (APPs) and are designed to balance an individual’s right to privacy with an entity’s legitimate need to collect, use and disclose personal information. They cover private sector entities as well as federal public sector and ACT entities. It is essential that the entities they cover consider how they comply with the provisions and take action.
Along with ensuring entities that hold information about people handle that information responsibly, the APPs give people some control over the way it is handled. Entities can also be bound by a registered APP code that spells out obligations in more detail, imposes additional obligations or covers other matters. An entity may develop, and be bound by, an APP code by choice, or the code may be developed at the request of the Privacy Commissioner to protect the public interest (Privacy Act section 26E).
The APPs seek to be applicable in any circumstance and, as such, apply equally to physical, electronic and digital environments. This should ensure the legislation works in practice now and in the future. The APPs also reflect ideas about privacy developed internationally and, in particular, the OECD guidelines governing the protection of privacy and transborder flows of personal data (1980).
For the past 20 years, the global adoption of new data privacy laws has increased rapidly to include countries in Asia, South America and Africa. This decade has seen the most intensive period of privacy law development in its 40-year history. If this trend continues, countries without privacy law will soon be in the minority.
The following briefly explains what the APPs mean for business entities:
APP 2: Anonymity and pseudonymity – requires an entity to give individuals the option of not identifying themselves or of using a pseudonym. Some exceptions apply.
APP 3: Collection of solicited personal information – outlines when an entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information.
APP 4: Dealing with unsolicited personal information – outlines how an entity must deal with unsolicited personal information.
APP 5: Notification of the collection of personal information – outlines when and in what circumstances an entity collecting personal information must notify an individual of specified matters.
APP 6: Use or disclosure of personal information – outlines the circumstances in which an entity may use or disclose personal information that it holds.
APP 7: Direct marketing – outlines the conditions for using or disclosing personal information for direct marketing purposes.
APP 8: Cross-border disclosure of personal information – outlines the steps an entity must take to protect personal information before disclosing it overseas.
APP 9: Adoption, use or disclosure of government-related identifiers – outlines the limited circumstances when an entity may use or disclose a government-related identifier of an individual, or adopt it as its own identifier.
APP 10: Quality of personal information – an entity must take reasonable steps to ensure the personal information it collects is accurate, up-to-date and complete. It must also take reasonable steps to ensure the information it uses or discloses is accurate, up-to-date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11: Security of personal information – an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. It has obligations to destroy or de-identify personal information in certain cases.
APP 12: Access to personal information – outlines an entity’s obligations when individuals ask for access to personal information held about them. It must provide access unless a specific exception applies.
APP 13: Correction of personal information – outlines an entity’s obligations in relation to correcting the personal information it holds about individuals.
It is the responsibility of directors and boards to assess whether senior management has successfully implemented these practices within the entity.